PERU Law and Practice Contributed by: Luis Ernesto Marín and Andrés Kuan-Veng, Rubio Leguía Normand
2.8 Outsourcing of Regulated Functions

Generally, financial system and capital market companies may outsource several of the functions and responsibilities established in the applicable regulations; however, they assume full responsibility for the results of those processes outsourced to third parties and may be sanctioned for non-compliance.

Entities Subject to the Supervision of the SBS

Financial institutions may outsource several functions to third-party vendors. However, this activity is regulated by the SBS, which must be informed of such arrangements and, in certain cases, authorise them (eg, in case of outsourcing of the internal audit service or data processing abroad) and may carry out inspections of the premises and activities of the vendors. Despite this, the outsourcing of regulated functions does not release a financial institution from its obligations vis-à-vis its clients and the SBS.

Entities Subject to the Supervision of the SMV

For entities under the supervision of the SMV, outsourcing regulations exist, requiring them to establish formal policies and procedures for assessing risk levels and implementing control mechanisms throughout the entire outsourcing period. It is important to note that these entities assume full responsibility for all outsourced services, activities, and related management decisions.

In the case of significant cloud outsourcing, entities must possess access and audit rights and implement data and system security measures. They should also consider aspects related to data location, data processing location, chain outsourcing (when the outsourced provider subcontracts parts of the service to other providers)
Autoridad de Protección de Datos Personales

The Autoridad de Protección de Datos Personales (APDP) is another important regulator in the context of the fintech industry in Peru. The APDP is responsible for overseeing the protection of personal data and ensuring compliance with data protection laws and regulations.

The APDP enforces the Personal Data Protection Law (Ley de Protección de Datos Personales) and its regulations, aiming to guarantee the privacy and protection of personal data of individuals. In the fintech industry, companies often collect, store, process, and share large amounts of personal data. As a result, fintech companies must comply with the data protection regulations set forth by the APDP.

Depending on the specific services offered by a fintech company, other regulators or government agencies may be involved, such as the Ministry of Communications and Transport for issues related to telecommunications or the Ministry of Foreign Trade and Tourism (MINCETUR) for fintech activities related to the gambling industry.

2.7 No-Action Letters

Regulators in Peru do not commonly issue no-action letters in the same manner as regulatory agencies in jurisdictions such as the United States. However, the Superintendencia del Mercado de Valores (SMV) and the Superintendencia de Banca, Seguros y AFP (SBS) may provide informal guidance or clarifications regarding regulatory matters upon request. These responses do not carry the legal certainty of a no-action letter but may help industry participants understand regulatory expectations. Companies seeking formal regulatory clarity typically engage in direct consultations or regulatory sandbox programmes to test their business models in a controlled environment.